CISA Archives - SD Times
https://sdtimes.com/tag/cisa/
Software Development News
Mon, 01 Jul 2024 16:21:18 +0000

CISA report highlights need to transition to memory-safe languages
https://sdtimes.com/security/cisa-report-highlights-need-to-transition-to-memory-safe-languages/
Mon, 01 Jul 2024 16:21:18 +0000

A new report from CISA, the FBI, the Australian Cyber Security Centre (ACSC), and the Canadian Centre for Cyber Security (CCCS) analyzed 172 critical OpenSSF projects and found that 52% of them contain code written in a memory-unsafe language.

The report also found that 55% of the total lines of code for all projects were written in a memory-unsafe language. 

According to the report, memory-unsafe languages — such as C or C++ — place the responsibility for managing memory allocation and use on developers; a mistake can lead to memory-safety vulnerabilities such as buffer overflows and use-after-free. Memory-safe languages shift that responsibility to the compiler or interpreter and can significantly reduce the opportunity to introduce memory-safety vulnerabilities, the class of bug behind the Morris Worm, the Slammer Worm, Heartbleed, and BLASTPASS.

“By using memory-safe languages, programmers can focus on producing higher-quality code rather than perilously contending with low-level memory management,” said Omkhar Arasaratnam, GM at the OpenSSF.

This new report follows the White House Office of the National Cyber Director’s (ONCD) call earlier this year on technology leaders to adopt memory-safe languages. 

“We, as a nation, have the ability – and the responsibility – to reduce the attack surface in cyberspace and prevent entire classes of security bugs from entering the digital ecosystem but that means we need to tackle the hard problem of moving to memory safe programming languages,” said National Cyber Director Harry Coker at the time.  

According to Chris Hughes, CISSP, chief security advisor at Endor Labs and Cyber Innovation Fellow at CISA, one reason so many projects are written in memory-unsafe languages is that those languages were widely adopted for many years, and the push to encourage developers to use memory-safe languages is only recent.

He explained that it will be difficult to transition existing projects to memory-safe languages because of the resources, effort, and expertise required, which maintainers of the projects may not have.  

“That said, there are also opportunities for organizations to help facilitate the transition through resources including monetary incentives, as well as potentially development support to facilitate the transition,” said Hughes. “Of course, there still remain issues with third-party and transitive dependencies as discussed in the report, meaning even if the projects were re-written, they would need to conduct dependency analysis and ensure that transitive dependencies are also accounted for when it comes to memory safety. Lastly, efforts would need to be made to ensure the developers and maintainers implement secure coding practices to ensure memory safety safeguards aren’t undermined.”

OpenSSF, CISA, and DHS collaborate on new open-source project for creating SBOMs
https://sdtimes.com/security/openssf-cisa-and-dhs-collaborate-on-new-open-source-project-for-creating-sboms/
Wed, 17 Apr 2024 16:29:58 +0000

A number of security-focused groups have announced they are teaming up on a new open-source project to help secure software supply chains: Protobom.

The project was created jointly by the Open Source Security Foundation (OpenSSF), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Homeland Security Science and Technology Directorate (DHS S&T). 

Protobom allows companies to read software bill of materials (SBOM) data, create their own SBOMs, and translate SBOMs into different standard formats. 

According to OpenSSF, there are many SBOM formats and schemas out there, which can be challenging for companies. The goal of the new project is to provide a “format-neutral data layer on top of the standards that lets applications work seamlessly with any kind of SBOM.”

OpenSSF also explained that by integrating Protobom into applications that link SBOM and vulnerability information, organizations will be able to more quickly access the necessary patches and mitigations to keep their software supply chains safe. 

“Vulnerabilities in software are a key risk in cybersecurity, with known exploits being a primary path for bad actors to inflict a range of harms. By leveraging SBOMs as key elements of software security, we can mitigate the risk to the software supply chain and respond to new risks faster, and more efficiently,” said Allan Friedman, senior advisor and strategist at CISA. “Protobom is a step towards greater efficiency and interoperability by translating across the widely used formats so that tools and organizations can focus on what’s important. It is a positive solution that helps shape a more transparent software-driven world.”

Omkhar Arasaratnam, general manager of OpenSSF, added: “Protobom not only simplifies SBOM creation, but also empowers organizations to proactively manage the risk of their open source dependencies. The security of open source software requires partnership between the public sector, private sector and the community. The OpenSSF is proud to be a part of this mission.”

Biden-Harris Administration to require secure software development attestation form for government software
https://sdtimes.com/security/biden-harris-administration-to-require-secure-software-development-attestation-form-for-government-software/
Tue, 12 Mar 2024 20:07:57 +0000

As part of its ongoing efforts to improve cybersecurity, the Biden-Harris Administration has announced that it has approved a secure software development attestation form.

The form, which was jointly developed by CISA and the Office of Management and Budget (OMB), must be completed by any company providing software that the Government will use. It is meant to help ensure that the software was developed by companies that prioritize security.

“The requirements in the form represent some fundamental secure development practices that suppliers looking to sell software to the Federal government should be in a position to meet if they want to play in the Federal regulated ecosystem,” said Chris Hughes, chief security advisor at Endor Labs and Cyber Innovation Fellow at CISA.

One of the requirements in the form is that the software be developed in a secure environment. This includes separating production and development environments, minimizing use of insecure products in the code, enforcing multi-factor authentication across the environments, encrypting sensitive data, implementing defensive practices like continuous monitoring and alerting, and routinely logging, monitoring, and auditing trust relationships. 

“Practices such as separating development and production environments, implementing logging and MFA are critical security controls that should exist in any modern secure software development environment,” said Hughes.

Another requirement is to make a good-faith effort to maintain trusted supply chains by using automated tools for monitoring third-party code, and maintaining provenance for internal code and third-party components.

It also requires the regular use of automated tools that check for security vulnerabilities, including having a policy in place to disclose and address known vulnerabilities.

Hughes believes there are some elements missing from this form, however. For instance, it doesn’t require the use of threat modeling or memory safety, which CISA has been pushing for. He said it also allows the CEO to designate others to sign off on the attestation, who could become scapegoats if things go wrong or the attestation turns out to have been falsified.

“On one hand we hear that cybersecurity needs to be a boardroom issue and CISA even calls for C-suite involvement in their publications around secure-by-design/default, but then this form allows for this key attestation activity to be delegated to someone else in the organization and potentially keeping it from being as visible to the C-suite/CEO and executive leadership team,” said Hughes. 

Hughes believes that the software producers who will have the hardest time meeting the attestation requirements are those that haven’t implemented secure software development practices already. 

“They will need to assess their current development practices, identify deficiencies and implement plans to rectify them,” he said. “This of course takes time and resources, which smaller startups and immature organizations have finite access to, especially against competing demands for speed to market, revenue, return for investors, feature velocity and more.”

The form will be available for online submissions on CISA’s website starting later this month.

CISA concludes two-day summit on open source security with three action items
https://sdtimes.com/security/cisa-concludes-two-day-summit-on-open-source-security-with-three-action-items/
Fri, 08 Mar 2024 18:09:04 +0000

This week the Cybersecurity and Infrastructure Security Agency (CISA) held a two-day summit with open source software (OSS) leaders, intending to continue its work advancing the security of OSS.

Over the course of the Open Source Software (OSS) Security Summit, CISA laid out three key actions that it will be taking.

First, it will work with open source maintainers to get them to adopt the Principles for Package Repository Security, which is a framework that outlines maturity levels for package repositories that was developed jointly by CISA and the Open Source Security Foundation’s (OpenSSF) Securing Software Repositories Working Group. 

Several open source organizations have already agreed to use the framework for at least some of their projects, including the Rust Foundation, Python Software Foundation, Packagist and Composer, npm, and Maven Central. 

“OpenSSF’s mission is to improve the security of open source software. Package repositories are critical infrastructure for the open source community. We thank CISA for facilitating this Open Source Software (OSS) Security Summit to help secure package repositories. Through continued cooperation in activities such as this summit and the Principles for Package Repository Security, we will improve the security of open source package repositories for everyone,” said Omkhar Arasaratnam, general manager of OpenSSF.

Second, CISA is launching a new initiative that will enable better information sharing of cyber defense information with open source maintainers.

Third, it will be publishing the materials from a tabletop exercise that was performed at the summit. This will allow any open-source maintainer to use those materials and lessons learned to improve their security. 

The Open Source Software (OSS) Security Summit continues CISA’s ongoing efforts to secure the open source supply chain, such as the roadmap for open source security it released last fall.  

CISA Director Jen Easterly added: “Open Source Software is foundational to the critical infrastructure Americans rely on every day. As the national coordinator for critical infrastructure security and resilience, we’re proud to announce these efforts to help secure the open source ecosystem in close partnership with the open source community, and are excited for the work to come.”

Year in Review: Security
https://sdtimes.com/security/year-in-review-security/
Wed, 27 Dec 2023 15:00:39 +0000

As we bid farewell to another year, it is crucial to reflect on the threats of cyberattacks and ransomware and think of how to mitigate them moving forward. However, this year feels a bit different – marked by the unknown of what challenges AI will bring to the security landscape in the new year. 

This comes on top of persistent supply-chain security vulnerabilities, insider threats, and more that have only grown this year. 

The Cybersecurity and Infrastructure Security Agency (CISA) recently unveiled a roadmap with five key efforts aimed at the responsible and secure deployment of AI. 

Firstly, the agency commits to responsibly employing AI to fortify cyber defense, adhering to applicable laws and policies. Second, CISA aims to assess and ensure the default security of AI systems, fostering safe adoption across various government agencies and private sector entities. The third effort involves collaborating with companies to safeguard critical infrastructure from potential malicious uses of AI, addressing threats, vulnerabilities, and mitigation strategies.

In its fourth effort, CISA emphasizes collaboration and communication with other agencies, international partners, and the public to develop policy approaches concerning security and AI. Lastly, the agency plans to bolster its workforce by expanding the number of qualified AI professionals through education and recruitment efforts. 

The dominant player in the AI space, OpenAI, also recognizes the need for training and secure AI use. 

OpenAI this year introduced the Cybersecurity Grant Program, a $1 million initiative designed to advance and quantify AI-driven cybersecurity capabilities while promoting high-level discourse in the field. 

Seeking collaboration with security professionals globally, the company aims to rebalance power dynamics in cybersecurity through the strategic use of AI technology and fostering coordination among like-minded individuals. The overarching goal is to prioritize access to advanced AI capabilities for security teams, with a commitment to developing methods that accurately measure and enhance the efficacy of AI models in the realm of cybersecurity, thereby ensuring collective safety.

Also, this year showed that many applications still have many vulnerabilities and many more projects aren’t actively maintained, particularly in the open-source space. 

In January, application security testing solution provider Veracode released a report showing that nearly 32% of applications are found to have flaws at the first scan, jumping to almost 70% once they have been in production for five years. The report also stated that after the initial scan, most apps enter a safety period of about a year and a half, where 80% do not take on any new flaws.

In 2023, there was an 18% decline in the number of open-source projects considered to be “actively maintained,” according to Sonatype’s annual State of the Software Supply Chain report.

The report highlights a concerning statistic, finding that merely 11% of open-source projects are actively maintained. Despite this, Sonatype emphasizes that 96% of vulnerabilities in open-source software are preventable. 

The report revealed that 2.1 billion downloads of open-source software occurred, and among them were instances where known vulnerabilities existed, and newer versions addressing these issues were available. This underscores the need for increased attention to maintaining and updating open-source projects to mitigate potential security risks associated with outdated software versions.

Organizations are taking the initiative to fix the vulnerabilities

Recognizing the widespread security challenges, major corporations are proactively launching initiatives to address and counteract the proliferation of security issues in today’s digital landscape.

In March, the White House released a new plan for ensuring security in digital ecosystems. It hopes to “reimagine cyberspace as a tool to achieve our goals in a way that reflects our values: economic security and prosperity; respect for human rights and fundamental freedoms; trust in our democracy and democratic institutions; and an equitable and diverse society.”

Achieving this will require shifts in how we currently view cybersecurity. The Biden-Harris administration plans to rebalance the responsibility for security away from individuals and small businesses and onto the organizations best positioned to reduce risk for all. It also plans to rebalance the focus from defending against today’s security risks toward positioning organizations to plan for future threats.

In October, Google enabled passkeys as the default authentication method in Google accounts. Passkeys offer a convenient and faster way to log in using fingerprints, face scans, or pins. They are 40% quicker than traditional passwords and boast enhanced security due to advanced cryptography, according to Google in a blog post. They also alleviate the burden of remembering complex passwords and are more resistant to phishing attacks.

Soon after, Microsoft announced its Secure Future Initiative, which consists of three main pillars: defenses that use AI, advances in software engineering, and international norms to protect civilians from cyber threats. Microsoft aims to establish an “AI-based cyber shield” to safeguard both customers and nations, expanding its internal protective capabilities for broader customer use. In response to the global shortage of cybersecurity skills, estimated at around 3 million people, Microsoft plans to leverage AI, particularly through tools like Microsoft Security Copilot, to detect and respond to threats. Additionally, Microsoft Defender for Endpoint will utilize AI detection methods to enhance device protection against cybersecurity threats.

Luckily, as technology advances, developers and organizations can turn to established frameworks and best practices released this year. 

In June, the Open Worldwide Application Security Project (OWASP) announced the launch of OWASP CycloneDX version 1.5, a new standard in the Bill of Materials (BOM) domain that specifically targets issues of transparency and compliance within the software industry. The recent release expands BOM support beyond its existing coverage of hardware, software, and services. The primary goal is to enhance organizations’ capabilities in identifying and addressing supply chain risks, offering a more comprehensive tool for managing and mitigating potential vulnerabilities.

In September, the National Institute of Standards and Technology (NIST) released a draft document detailing strategies for incorporating software supply chain security measures into CI/CD pipelines. In the context of cloud-native applications employing a microservices architecture with a centralized infrastructure like a service mesh, the document outlines the alignment of these applications with DevSecOps practices.

CISA outlines five efforts for safely adopting AI in newly published roadmap
https://sdtimes.com/ai/cisa-outlines-five-efforts-for-safely-adopting-ai-in-newly-published-roadmap/
Wed, 15 Nov 2023 17:31:59 +0000

The Cybersecurity and Infrastructure Security Agency (CISA) has just published a roadmap for safely and responsibly utilizing AI. 

This follows President Biden’s Executive Order on AI last month. “In last month’s Executive Order, the President called on DHS to promote the adoption of AI safety standards globally and help ensure the safe, secure, and responsible use and development of AI,” said Alejandro N. Mayorkas, Secretary of Homeland Security. “CISA’s roadmap lays out the steps that the agency will take as part of our Department’s broader efforts to both leverage AI and mitigate its risks to our critical infrastructure and cyber defenses.”

CISA’s roadmap details five efforts that the organization will be leading and outlines its approach to AI in cybersecurity.

First, it will responsibly use AI to strengthen cyber defense, while following applicable laws and policies, such as those that address federal procurement, privacy, civil rights, and civil liberties.

Second, it will assess AI systems and assure they are secure by default. This will help them drive safe AI adoption across federal civilian government agencies, private sector companies, and state, local, tribal, and territorial (SLTT) governments. CISA will be developing best practices for secure AI development and will also develop recommendations for red-teaming generative AI.

Third, it will help companies protect critical infrastructure from AI being used maliciously by collaborating around threats, vulnerabilities, and mitigations.

Fourth, it will collaborate and communicate with other agencies, international partners, and the public to develop policy approaches related to security and AI. 

Fifth, it will expand the number of qualified AI professionals in its workforce by providing education on AI systems and techniques and recruiting those who have the proper expertise. Its internal training will reflect not only the technical aspects of AI, but also the legal, ethical, and policy aspects.

“Artificial Intelligence holds immense promise in enhancing our nation’s cybersecurity, but as the most powerful technology of our lifetimes, it also presents enormous risks,” said Jen Easterly, director of CISA. “Our Roadmap for AI, focused at the nexus of AI, cyber defense, and critical infrastructure, sets forth an agency-wide plan to promote the beneficial uses of AI to enhance cybersecurity capabilities; ensure AI systems are protected from cyber-based threats; and deter the malicious use of AI capabilities to threaten the critical infrastructure Americans rely on every day.”

CISA releases roadmap for securing open-source software
https://sdtimes.com/security/cisa-releases-roadmap-for-securing-open-source-software/
Tue, 12 Sep 2023 19:21:04 +0000

Securing software supply chains has been a big focus of the Biden administration. In May 2021 President Joe Biden signed an executive order to improve cybersecurity, and since then it has made progress in providing guidance to companies on how to actually meet these cybersecurity goals. 

Now the U.S. federal Cybersecurity & Infrastructure Security Agency (CISA) is building on that work with a new roadmap specifically for securing open-source software (OSS). 

“CISA recognizes the immense benefits of open source software, which enables software developers to work at an accelerated pace and fosters significant innovation and collaboration. With these benefits in mind, this roadmap lays out how CISA will help enable the secure usage and development of OSS, both within and outside the federal government,” CISA wrote in the roadmap document.

The roadmap defines two major types of open-source vulnerabilities. The first is the cascading effects of vulnerabilities for widely used open-source software. It cited Log4Shell as an example of the widespread consequences that could result from open-source software being compromised. 

The second is supply chain attacks on open-source repositories, which could result in negative downstream impacts, such as a developer’s account being compromised and an attacker using it to commit malicious code. 

The roadmap lists four key priorities: establishing its own role in supporting security of open source, driving visibility into usage and risks of open source, reducing risks to the federal government, and hardening the open-source ecosystem. 

According to CISA, this will all help it achieve its vision for open-source software, which is one in which “every critical OSS project is not only secure but sustainable and resilient, supported by a healthy, diverse, and vibrant community.”

Dan Lorenc, co-founder and CEO of supply chain security company Chainguard, feels that CISA has done a good job in segmenting the problems in this field and then prioritizing work to address them. 

He also said they did a good job of recognizing that the work needs to “happen upstream, and CISA employees will need to engage directly with communities,” though he remains skeptical about how that will actually go and is trying to stay optimistic.

Lorenc recommends the government put some efforts into actually funding open-source projects, which the roadmap currently doesn’t address at all. 

“The government doesn’t have a great reputation for helping out with direct code or other contributions, but they do have the ability to help fund work already being done to achieve many of these roadmap items, such as memory safety, vulnerability remediation and SBOM tooling,” Lorenc told SD Times. “The government collaboration model here can’t be ‘you push, we’ll steer.’”

2015: Security remains a stepchild
https://sdtimes.com/cisa/2015-security-remains-a-stepchild/
Thu, 31 Dec 2015 14:00:03 +0000

Software security is improving, but this past year still saw hacks and security breaches. In 2015, companies were creating new tools or initiatives to make sure data and critical information were protected, but with a fair share of leaks and hacks, the wait for a solution to software security continues.

Taking a different approach to security, a company called SourceClear raised funds in October, saying that its software works inside a developer’s workflow and with a team’s tools, giving visibility into the risks of using other people’s code in real time as developers work.

Also released in October was Cigital’s most recent findings of its Building Security in Maturity Model, declaring that software security is in fact lagging. With the release of this study, the application security firm added the healthcare industry to its analysis, joining financial services, independent software vendors, and electronics. Gary McGraw, CTO of Cigital, hoped that these findings would get companies to “buckle down” and focus more on security in the months to come.

October was a big month for announcements, as the government also joined in on the fight for cybersecurity. The U.S. Senate passed a controversial cybersecurity bill known as The Cybersecurity Information Sharing Act (CISA) in October; if the bill is signed into law, it would allow businesses and government agencies to share information related to hackers and their methods. Several organizations, including Twitter, Yelp and Reddit, spent months trying to raise awareness about it and why it shouldn’t be passed.

Other companies were busy handling their own security issues, like Dell when it had to respond to concerns about a certificate called eDellRoot that was supposed to make things fast and easy for customers, but instead introduced a hole in security.

Instead of handling security issues, Docker was busy improving security. It had a lot of changes, starting in August when it introduced Docker Content Trust, which uses digital signatures to secure Dockerized content. In October, CoreOS and Docker, along with a group of industry leaders, wanted to create common standards for software containers through the Open Container Project, which included making sure they had a well-designed software container specification that was secure across all platforms. And, in November, Docker announced new security enhancements that safeguard and protect Dockerized distributed applications, without impacting the developer’s workflow.

To sum it up, Verizon released its 2015 Data Breach Investigations Report, which revealed that while cyber threats are getting more sophisticated, many cyber attacks still rely on decades-old techniques.

That being said, in June, cybersecurity firm Kaspersky Lab announced that it had experienced an advanced and stealthy attack on its own internal networks. Sony had to settle after its systems suffered a breach in November from hackers whom the company claimed were angry about the movie “The Interview.” That breach led to the release of personal data, and former employees say it happened due to company negligence. Toy giant VTech also saw a breach in November, which caused hackers to access 6 million children’s information. Experts say it was due to a lack of common steps to protect passwords.

The age-old battle of software security continues, and mobile applications pose even more problems for both the developers and the applications themselves. Experts say that the responsibility of securing mobile apps shouldn’t be on just the developers. Instead, security should be a coordinated effort between the business and development teams, and this is something to consider moving into 2016.

Google Code-in competition, Android OTA updates, and IBM Swift Sandbox—SD Times news digest: Dec. 8, 2015 (https://sdtimes.com/android/google-code-in-competition-android-ota-updates-and-ibm-swift-sandbox-sd-times-news-digest-dec-8-2015/), Tue, 08 Dec 2015 17:03:49 +0000

Google wants students to go beyond an Hour of Code. The company has announced the Google Code-in competition, a seven-week competition where students work on real software projects and get help from mentors. Students can browse from hundreds of tasks from 14 open-source organizations ranging from healthcare, desktop and portable computing, to game development, and can choose the one they find most interesting. Projects can include documentation, coding, training, research, quality assurance, user-interface, and outreach tasks.

Each task will have at least one mentor who will help students and review their work. In addition, students will have access to beginner tasks that can help them understand where to get started.

Google releases over-the-air updates
Google has announced its latest Android over-the-air update as part of the company’s monthly security release process. The latest update aims to address vulnerabilities in Nexus devices.

The most severe issue in this update is a critical vulnerability that could enable remote code execution through e-mail, Web browsing and MMS when users process media files. There have been no reports that these vulnerabilities have been exploited, and partners have already been notified and provided updates on these issues.

A full list of vulnerabilities is available here.

IBM Swift Sandbox lets coders try Swift easily
With Apple’s programming language Swift becoming open source earlier this month, IBM’s Swift developers decided to make IBM Swift Sandbox available to developers on developerWorks, which is IBM’s official developer program.

IBM Swift Sandbox is an interactive website that lets developers write in Swift code and execute it in a server environment, or on top of Linux. Each sandbox runs on IBM Cloud in a Docker container. The latest versions of both Swift and its library are available.

IBM engineer Patrick Bohrer wrote in a blog post that there are some things on the horizon for IBM Swift Sandbox, including scaling up to handle Swift-level “excitement,” and sharing snapshots and code to assist the Swift.org development community.

EFF wants to stop ‘cyber’ bills
The Electronic Frontier Foundation (EFF) wants to stop cybersecurity bills from getting passed. The organization has set up the Stop the “Cyber” Bills campaign to get more individuals on board. Currently, the organization is turning its efforts to the Cybersecurity Information Sharing Act (CISA), which it said would allow companies to spy on users and share their information with the NSA.

“The bills ignore reality: Experts can already share technical information to stop threats without sharing unrelated personal information. And some experts even say the bills may not help computer security,” the organization wrote on its website.

The EFF is asking individuals to urge Representative Michael McCaul, chairman of the House Committee on Homeland Security, to fight for users’ privacy protections. According to the organization, congressional leadership and members of the Intelligence Committee are trying to pressure McCaul into removing privacy protections from CISA’s final text.

Cybersecurity bill brings backlash despite passing Senate (https://sdtimes.com/cisa/cybersecurity-bill-brings-backlash-despite-passing-senate/), Wed, 28 Oct 2015 21:43:23 +0000

A controversial cybersecurity bill passed the U.S. Senate yesterday by a 74-21 vote, despite opposition from organizations and businesses that claimed the measure does not support the idea of a free and open Internet.

The Cybersecurity Information Sharing Act (CISA), if signed into law by President Barack Obama, would allow businesses and government agencies to share information related to hackers and their methods. The goal of the bill is to use shared information related to cybersecurity attacks from business to business to assist organizations and agencies alike to defend themselves from hackers or cyber criminals.

Fight for the Future (FFTF), a digital rights group, is strongly against CISA and said the bill has been discredited by experts, tech companies, and advocacy groups across a wide spectrum of industries. Evan Greer, campaign director of FFTF, said if Obama does not veto the bill, he will be showing he “never cared about the open Internet.”

(Related: Twitter joins fight against CISA)

“This vote will go down in history as the moment that lawmakers decided not only what sort of Internet our children and our children’s children will have, but what sort of world they will live in,” said Greer in a statement. “Every Senator who voted for CISA has voted for a world without freedom of expression, a world without true democracy, a world without basic human rights.”

Critics of CISA are concerned about the liability and privacy issues that companies will be exposing themselves to when handling data such as customer records and personal information. But recent amendments to the bill require businesses and government agencies to scrub records of data that can be used to identify individuals, according to Jason Kratovil, vice president of government affairs for payments at the Financial Services Roundtable, an organization that represents financial services companies.

“[Companies think] CISA is a surveillance program, and that it’s turning over personal information to the government,” he said. “They made those arguments, but I think the votes made it pretty clear that they are not based in the realities of the legislation. The legislation is clear that personal information must not be part of the sharing equation.”

Kratovil also said that CISA is voluntary: if a company does not want to participate, there is nothing to “compel a company” to do so; it shares only if it is willing.

Those that would not be willing would be the Electronic Frontier Foundation (EFF), the Computer and Communications Industry Association—whose members include Facebook, Google and Yahoo—Salesforce, Twitter, and presidential candidates Rand Paul and Bernie Sanders, and more.

The EFF said that the bill failed to address the real reasons hackers are able to steal data. In a release, the EFF said that the real cybersecurity problems behind computer data breaches like Target’s are not addressed in CISA.

Carl Herberger, vice president of security solutions at Radware, said that the bill does not address cybersecurity problems like “the DDoS attacks, the problems of people or countries attacking from non-judicially friendly domiciles, and, lastly, the issues of macro-level IT trends, such as IoT, SDN and Cloud migrations.” He also said that it brings up another question of U.S. citizens having a right to privacy.

CISA could also have an impact globally, according to Mike Weston, CEO of Profusion, a data science consultancy group in London. He said that CISA passing could lead to negative commercial consequences and challenges for a World Wide Web that is supposed to be free and open. It could also affect smaller U.S. companies that seek to establish businesses in other countries, wherever the sharing of personal data is involved.

The next step for both supporters and critics is to wait for CISA to move to a conference committee made up of the House of Representatives and the Senate, who will determine the bill’s final language.
